WordPress is the most widely used self-hosted content management software (CMS) online. As such, attacks are more common than Microsoft Windows. Open source software, hosted on GitHub. Hackers are constantly looking for vulnerabilities and bugs that could be exploited to gain access other WordPress sites.
The simplest thing you can do to ensure the security of your WordPress installation is to make sure it runs the most recent version of WordPress.org software, and that all themes and plugins are updated. There are a few other things that you can do to increase the security of your WordPress blogs.
1. Log in to your WordPress account
The default user for a WordPress blog is “admin”. To manage your WordPress blog, you should create another user. You can either remove the “admin user” or change the role to “subscriber”.
You have two options: create a random username (hard to guess), or enable single-sign-on with Jetpack, and then log in to your self-hosted WordPress site using your WordPress.com account.
2. Your WordPress version should not be advertised to the rest of the world
WordPress websites always post the version number, making it easy for others to see if they are using an old version of WordPress.
You can delete the WordPress version page easily, but there is one more step. You must delete the file in your WordPress installation directory. It advertises your WordPress version to everyone.
3. Do not allow others to “Write” in your WordPress directory
To see a complete list of directories that allow other users to write files, log in to your WordPress Linux shell.
Find. -type d -perm -o=w
To set permissions for your WordPress files and folders ( refer ), you may also need to run the following commands in your shell
find /your/wordpress/folder/ -type d -exec chmod 755 \; find /your/wordpress/folder/ -type f -exec chmod 644 \;
755 (rwxrxrxrx) is the permission to write permission for directories. Others have permission to read and execute permissions. Files are 644 (rwxr–r–-), which means that only the file owner has read and written permissions, while other can only read them.
4. Rename your WordPress tables prefix
Your WordPress tables names will be wpposts and wp_users if you installed WordPress with the default options. It is a good idea, therefore, to change the prefix of tables to some random value. With a single click, the Change DB PREFIX plugin allows you to rename your table prefix.
5. Stop users browsing your WordPress directory.
This is crucial. This is important.
Options-Indexes
This will prevent anyone outside of your directory from seeing the files in your directory.
6. Update the WordPress Security Keys
To generate six security keys to your WordPress blog, go here The wpconfig.php file is located in the WordPress directory. Replace the default keys by the new ones.
These random salts increase the security of your WordPress passwords. Another advantage is that if someone logs in to WordPress without you knowing, their cookies will be invalidated and they will be logged out.
7. Keep a log for WordPress PHP and Database errors
Sometimes, the error logs can give strong clues as to what type of file requests and invalid queries are hitting your WordPress installation. The Error log Monitor is my favorite. It periodically sends error logs to you by email and displays them as widgets within your WordPress dashboard.
Add the following code in your WordPress wp-config.php file. Remember to replace the /path/to/error.log line with your actual log file path. The error.log file must be located in an unaccessible folder ( reference).
define(‘WP_DEBUG’, true); if (WP_DEBUG) { define(‘WP_DEBUG_DISPLAY’, false); @ini_set(‘log_errors’, ‘On’); @ini_set(‘display_errors’, ‘Off’); @ini_set(‘error_log’, ‘/path/to/error.log’); }
9. Password Protect the Admin Dashboard
It’s a good idea to password protect the wp-admin area of WordPress. This is because the files within this area are not intended for visitors to your WordPress public website. To log in to their WordPress Admin dashboard, authorized users will need to use two passwords.
10. Monitor login activity on your WordPress server
To see a list of users who have logged in to your WordPress server, you can use the Linux command “last-i” to obtain their IP addresses. It is time to change your password if you see an unidentified IP address in the list.
The following command will also show user login activity over a longer time period, grouped by IP addresses. (replace USERNAME in your shell username).
last -if /var/log/wtmp.1 | grep USERNAME | awk ‘{print $3}’ | sort | uniq -c
Use plugins to monitor your WordPress
WordPress.org contains a number of security-related plugins that will monitor your WordPress site for suspicious activity and intrusions. These are the ones I recommend.
- WordFence Security – This powerful security plugin is one you must have. It will instantly detect any changes by comparing your WordPress core files to the original files in the repository. The plugin will also lock out users after ‘n’ number of failed login attempts.
- Sucuri Safety – This monitors WordPress for changes to core files and sends emails when files or posts are updated. It also keeps a log of login activity, including failed logins.
Tip: The following Linux command can be used to obtain a list all files modified within the past 3 days. To see files that were modified “n” minutes back, change mtime to modify mmin.
find . -type f -mtime -3 | grep -v “/Maildir/” | grep -v “/logs/”
Secure your WordPress Login Page
You can view your WordPress login page from anywhere in the world. However, you can block non-authorized users access to WordPress.
- Google Authenticator – This plugin adds two-step authentication to your WordPress blog, similar to your Google Account. Enter the code that was generated on your phone’s mobile device, as well as the password.